Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pinal.shah Send to a Friend Addon send-booking-invites-to-friends allows Reflected XSS.This issue affects Send to a Friend Addon: from n/a through <= 1.4.1.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper neutralization of input during web page generation in the WordPress Send to a Friend Addon allows reflected XSS. This flaw can allow an attacker to inject malicious JavaScript into a page viewed by a victim, potentially enabling cookie theft, session hijacking, or other client‑side attacks. The vulnerability aligns with CWE‑79.

Affected Systems

The flaw exists in the WordPress plugin pinal.shah Send to a Friend Addon, versions up to and including 1.4.1, which can be installed on any WordPress site that uses this plugin.

Risk and Exploitability

With a CVSS score of 7.1 the vulnerability is considered high severity, yet the EPSS score of less than 1% indicates a low probability of exploitation as of the current data. It is not listed in the CISA KEV catalog. The likely attack vector is via a crafted URL or form submission that triggers the plugin’s unsanitized echo of user input. An attacker would need to entice or trick a user to visit such a link or fill the form; no privileged access or additional conditions are required.

Generated by OpenCVE AI on May 1, 2026 at 14:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Send to a Friend Addon to a version newer than 1.4.1 that contains the fix
  • If an update is not available, uninstall or disable the plugin entirely on the affected WordPress sites
  • Configure a web‑application firewall or equivalent security plug‑in to block or filter suspicious script content that exploits the Send to a Friend feature
  • Audit the WordPress instance for other potential XSS vectors and ensure that all input is properly sanitized or escaped

Generated by OpenCVE AI on May 1, 2026 at 14:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-5691 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pinal.shah Send to a Friend Addon allows Reflected XSS. This issue affects Send to a Friend Addon: from n/a through 1.4.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pinal.shah Send to a Friend Addon allows Reflected XSS. This issue affects Send to a Friend Addon: from n/a through 1.4.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pinal.shah Send to a Friend Addon send-booking-invites-to-friends allows Reflected XSS.This issue affects Send to a Friend Addon: from n/a through <= 1.4.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 04 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 03 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pinal.shah Send to a Friend Addon allows Reflected XSS. This issue affects Send to a Friend Addon: from n/a through 1.4.1.
Title WordPress Send to a Friend Addon plugin <= 1.4.1 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:14.213Z

Reserved: 2025-01-16T11:26:45.457Z

Link: CVE-2025-23600

cve-icon Vulnrichment

Updated: 2025-03-03T15:56:03.038Z

cve-icon NVD

Status : Deferred

Published: 2025-03-03T14:15:43.717

Modified: 2026-06-17T08:55:41.823

Link: CVE-2025-23600

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T15:00:13Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')